Page MenuHome GnuPG

scdProject
ActivePublic

Watchers

  • This project does not have any watchers.
  • View All

Recent Activity

Tue, Sep 14

werner lowered the priority of T5085: Filter APDUs in log output from Normal to Low.
Tue, Sep 14, 2:00 PM · Feature Request, gnupg (gpg22), scd

Tue, Aug 31

werner renamed T5583: Support RSCS dedicated OpenPGP for OID. from Support RSCS dedicated OpenPGP fpr OID. to Support RSCS dedicated OpenPGP for OID..
Tue, Aug 31, 5:26 PM · Restricted Project, gnupg (gpg22), scd
werner triaged T5583: Support RSCS dedicated OpenPGP for OID. as Normal priority.
Tue, Aug 31, 5:26 PM · Restricted Project, gnupg (gpg22), scd

Thu, Aug 26

Sanmilie added a comment to T5570: Add to detect external interference validation the card type : Securite carte à puce .

by the way when the applet is selected, I return
D2760001240103045343000000010000
this can be used to detect the manufacturer number

Thu, Aug 26, 7:09 PM · Feature Request, scd
Sanmilie added a comment to T5570: Add to detect external interference validation the card type : Securite carte à puce .

Card ATR at the cool reset
Card ATR is : 3B 9C 95 81 01 50 53 43 50 2D 53 43 53 56 31 2E 30 8E
Historical Byte is 53435356312E30
CARD ATS-to-ATR is : 3B 8C 80 01 50 53 43 50 2D 53 43 53 56 31 2E 30 0A
CARD ATS is : 11 78 80 B8 02 50 53 43 50 2D 53 43 53 56 31 2E 30
Historical Byte is 53435356312E30
This can by detected for the card type.

Thu, Aug 26, 6:57 PM · Feature Request, scd
werner added a project to T5570: Add to detect external interference validation the card type : Securite carte à puce : Feature Request.

Is there another way to to detect your card (I assume a Javacard) without relying on the openpgp card application vendor-id like we do it with the Yubikey? I want to avoid a possible early but expensive AID selection just to get the vendor-id.

Thu, Aug 26, 6:29 PM · Feature Request, scd
Sanmilie triaged T5570: Add to detect external interference validation the card type : Securite carte à puce as Normal priority.
Thu, Aug 26, 6:15 PM · Feature Request, scd

Wed, Aug 25

gniibe closed T5297: SCM SPR332 smartcard reader support broken as Resolved.
Wed, Aug 25, 3:33 AM · gnupg (gpg22), scd, Bug Report
gniibe closed T5425: scdaemon.conf reader-port setting broken in 2.3 as Resolved.

Fixed in 2.3.2.

Wed, Aug 25, 3:30 AM · gnupg, Testing, scd, Bug Report

Tue, Aug 24

werner closed T5416: [windows] Smartcards are less reliable under 2.3.1 (requires restarting gpg-agent.exe) as Resolved.
Tue, Aug 24, 7:59 PM · yubikey, scd, gnupg (gpg23), Bug Report
werner closed T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied as Resolved.
Tue, Aug 24, 7:58 PM · yubikey, Bug Report, scd
werner closed T5524: scd: serialize access of ctrl->card_ctx as Resolved.
Tue, Aug 24, 7:58 PM · gnupg (gpg23), Testing, scd

Aug 13 2021

werner changed the edit policy for scd.
Aug 13 2021, 11:14 PM

Aug 3 2021

werner added a project to T5539: Key generation on OpenPGP Version 3.4 card fails: can't replicate.
Aug 3 2021, 11:52 AM · can't replicate, OpenPGP, scd, Bug Report, gpg4win
werner triaged T5539: Key generation on OpenPGP Version 3.4 card fails as Normal priority.
Aug 3 2021, 11:48 AM · can't replicate, OpenPGP, scd, Bug Report, gpg4win

Jul 30 2021

werner triaged T5538: gpg-agent's keytocard cmd should use a better default creation time. as Normal priority.
Jul 30 2021, 1:24 PM · scd, gpgagent, gnupg (gpg23)

Jul 28 2021

werner closed T4791: Switch between PIV and OpenPGP app w/o reentering the PIN as Resolved.

Works for a long time now (unless we broke it again;-)

Jul 28 2021, 3:21 PM · scd, yubikey

Jul 22 2021

gniibe added projects to T5524: scd: serialize access of ctrl->card_ctx: Testing, gnupg (gpg23).
Jul 22 2021, 4:38 AM · gnupg (gpg23), Testing, scd
gniibe changed the status of T5524: scd: serialize access of ctrl->card_ctx from Open to Testing.
Jul 22 2021, 4:38 AM · gnupg (gpg23), Testing, scd

Jul 16 2021

gniibe added a comment to T5524: scd: serialize access of ctrl->card_ctx.

This rwlock guarantees access with ctrl->card_ctx is always valid.

Jul 16 2021, 8:42 AM · gnupg (gpg23), Testing, scd
gniibe created T5524: scd: serialize access of ctrl->card_ctx.
Jul 16 2021, 8:40 AM · gnupg (gpg23), Testing, scd

Jul 6 2021

werner lowered the priority of T4884: PKCS #15 support in gpgsm from High to Normal.
Jul 6 2021, 6:12 PM · Feature Request, gnupg, scd, S/MIME

Jun 28 2021

Sanmilie added a revision to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied: D535: More general for large scale multi-apps card in pcsc-shared context. .
Jun 28 2021, 6:18 AM · yubikey, Bug Report, scd
Sanmilie added a task to D535: More general for large scale multi-apps card in pcsc-shared context. : T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.
Jun 28 2021, 6:18 AM · scd
Sanmilie requested review of D535: More general for large scale multi-apps card in pcsc-shared context. .
Jun 28 2021, 6:17 AM · scd

Jun 25 2021

werner added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

FWIW: We have always refused to support shared mode because we anticipated such problems. However, we have a customer using their own cards along with card maintenance software of them. For their purposes PCSC_SHARED works just fine makes and this is why I decided to add --pcsc-shared along with a warning that it is in general not a good idea.

Jun 25 2021, 8:54 AM · yubikey, Bug Report, scd
Sanmilie added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

You need to protect only 2 critical set of ADPU sequence Sign and Decrypt. All other can be done not safely and have a minor impact. Get generation and cards unlock can be profitable with the transaction mode... but is very rare user makes another use of the card in same time he start that’s command. The check external interference can protect from a bad start. I have started this ticket because my card suffer in exclusive mode render the use of openpgp not really usable. When my card is an pcsc-shared mode, all it's OK but the daemon not able to restore after external interference. The correction proposed is OK but I have made recommendations because this can cause a bad applet switch... if the state does not restore before trying to switch applet all it's OK. I am not actually able to set directly differential code but I have described in the patch the change I have made and this make my card very happy. Not problems and the pin was queried if another application makes interference.

Jun 25 2021, 4:18 AM · yubikey, Bug Report, scd
gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

There are multiple issues here.

Jun 25 2021, 2:59 AM · yubikey, Bug Report, scd

Jun 24 2021

Sanmilie requested changes to D534: scdaemon patch to support some situation with PCSC_SHARED (not all).

OK I have finally success to test... the master version has a problem with opening pcsc readers on windows I revert back on older version to able to correct this problem. For the current patch without yubikey reference. I suggest validating the interference in the first task for the maybe_switch app function.

Jun 24 2021, 6:40 PM · yubikey, scd

Jun 23 2021

gniibe closed T5413: Unblock PIN by Reset Code as Resolved.
Jun 23 2021, 7:12 AM · Testing, gnupg, scd

Jun 21 2021

Sanmilie added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

In fact, the trigger is not yubikey but the pcsc-shared flag... If the pcsc-shared flag is enabled, you do check for interference because you are in shared condition. It is not really a race condition because you can put the driver in transaction mode. It’s more a turn-by-turn games but you can lose the card context status between turn.
If you lock the patch only for yubikey I’m not able to test with my device. You can add my manufacturer ID in the test please.

Jun 21 2021, 8:51 AM · yubikey, Bug Report, scd
gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

Thank you for your explanation.

Jun 21 2021, 6:16 AM · yubikey, Bug Report, scd
gniibe requested review of D534: scdaemon patch to support some situation with PCSC_SHARED (not all).
Jun 21 2021, 6:10 AM · yubikey, scd
Sanmilie added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

It's not a device is a card. NXP P71 security chips on the card in the 250Kb Rom with GlobalPlateform 2.1.1 It is not possible for a card to change CCID by applet. Card depends of reader CCID. When the card is on NFC readers, the FIDO applet is accessible not when it is on contact readers. But, when I am in NFC FIDO share the CCID. For the user point of view having multiple card for each applet is a bad thing to devices for one user. User search presently for multipurpose devices. DOOR, Login, Email-crypt, ledger. Actually for app is not recommended to use a reader in exclusive mode. By designs the card is stateless and for memory management deselect applet free mem from other applet. Presently in the best case the card has 144-255 KB of eeprom and 2k or ram.

Jun 21 2021, 4:43 AM · yubikey, Bug Report, scd
gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

If your token/card is not Yubikey and when it is possible to improve your token/card implementation, I would suggest not follow what Yubikey does for multiple applications; No multiple applications, but each feature with independent access (card+CCID, another card+different CCID, FIDO+HID, ...).

Jun 21 2021, 2:08 AM · yubikey, Bug Report, scd

Jun 20 2021

Sanmilie added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

i'am not able to test... i can't build for win32. i have some trouble with my mingw32 installation and the miss match with library for build a functional version of gnupg for win32.
seem missing dll after make install folder. do you have instruction to setup dev environment for build win32 binary ? I use a ubuntu with minwg32. ntbtls seem missing ksba but libksba is already install verion 1.6.0 other project detect correctly ksba. it's seem is a little bit complicated juste for building scd project. a make it working correctly on windows environements.

Jun 20 2021, 11:09 AM · yubikey, Bug Report, scd

Jun 19 2021

Sanmilie added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

Ok i have seen a problem with a double check here

Jun 19 2021, 7:26 AM · yubikey, Bug Report, scd

Jun 18 2021

Sanmilie added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

Ok, I test this, this seem can be corrected 90% of all possible interference with another application on multi-applet smartcard in shared readers context. I left you the feel back when have tested… thank for the prompt response.

Jun 18 2021, 6:05 PM · yubikey, Bug Report, scd
gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

For the problem of external application switch, please test this:

diff --git a/scd/app-common.h b/scd/app-common.h
index dffe1200d..d6e6f4c0a 100644
--- a/scd/app-common.h
+++ b/scd/app-common.h
@@ -194,6 +194,8 @@ struct app_ctx_s {
                       void *pincb_arg);
     gpg_error_t (*with_keygrip) (app_t app, ctrl_t ctrl, int action,
                                  const char *keygrip_str, int capability);
+    gpg_error_t (*check_aid) (app_t app, ctrl_t ctrl,
+                              const unsigned char *aid, size_t aidlen);
   } fnc;
 };
Jun 18 2021, 4:58 AM · yubikey, Bug Report, scd
gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

Here is the reference to GID specification:
https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn642100(v=vs.85)?redirectedfrom=MSDN

Jun 18 2021, 3:56 AM · yubikey, Bug Report, scd
gniibe added a project to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied: yubikey.

Let me add the tag "yubikey".
I think that it could be solved in different level, if I were the device manufacturer; And it would give users the best solution.

Jun 18 2021, 3:16 AM · yubikey, Bug Report, scd

Jun 17 2021

gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

If something more user friendly is required, it could be possible for higher layer (SCDaemon's command handling) to check verification status beforehand, and do error recovery there.

Jun 17 2021, 9:53 AM · yubikey, Bug Report, scd
gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

I don't think we should do automatic error recovery from 6982 to retry decryption/signing, inside CMD_PSO (0x2A) operation.

Jun 17 2021, 9:48 AM · yubikey, Bug Report, scd
gniibe lowered the priority of T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied from High to Normal.
Jun 17 2021, 9:44 AM · yubikey, Bug Report, scd
Sanmilie added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

I have tried the case 1 with log activated
Windows switches applet for signing Adobe Acrobat doc.
This is the log from agent - Say Bad NIP but he never tries to use the nip SCDaemon have tried to decrypt only.
gpg-agent[8496]: DBG: agent_put_cache '1//'.-1 (mode 6) requested ttl=-1
gpg-agent[8496]: DBG: chan_0x000001c0 <- S SERIALNO D2760001240103045343000000010000
gpg-agent[8496]: DBG: chan_0x000001c0 <- OK
gpg-agent[8496]: DBG: chan_0x000001c0 -> KEYINFO BBD342CA5B0F978DA17F2AD9F5A1E95FF50C129E
gpg-agent[8496]: DBG: chan_0x000001c0 <- S KEYINFO BBD342CA5B0F978DA17F2AD9F5A1E95FF50C129E T D2760001240103045343000000010000 OPENPGP.2
gpg-agent[8496]: DBG: chan_0x000001c0 <- OK
gpg-agent[8496]: DBG: chan_0x000001c0 -> SETDATA 4F0E7600C2C497A06288DF49B7EA1BC723E04FAC360D6D6C4F4DC1B48DEC13A53556229CDC4562E349C9B5E71365561A941761D1D2C709A16488903AA60925A7B103DEF6B6AE46814370AE815BFBE4A30EC443904C1D63E21ABF5B0B39B8484F3CB4235AEDA04F78F14308AE3DEF52309FB745BC65E3075D19C01C789C8F58931D957D7C26BE7DCEF6B880B362251246FA4E1A2830A13AD94635CC4CE14B0F253481F38C39BA5CC748FDF03F9D936B9C8DE6BF7E49AFF4BE3A84A4E4547FADD4C9F1634416641FF804F3503CC924098F1C4CAA908FD272737312A4D5BE59C644EE1633AA248DC996EF67BA5E087DB6312BD2014BFAFD62FD08C7D45E3AFD431C
gpg-agent[8496]: DBG: chan_0x000001c0 <- OK
gpg-agent[8496]: DBG: chan_0x000001c0 -> PKDECRYPT BBD342CA5B0F978DA17F2AD9F5A1E95FF50C129E
gpg-agent[8496]: DBG: chan_0x000001c0 <- ERR 100663383 Mauvais code personnel <SCD>
gpg-agent[8496]: smartcard decryption failed: Mauvais code personnel
gpg-agent[8496]: command 'PKDECRYPT' failed: Mauvais code personnel <SCD>
gpg-agent[8496]: DBG: chan_0x00000270 -> ERR 100663383 Mauvais code personnel <SCD>

Jun 17 2021, 8:53 AM · yubikey, Bug Report, scd

Jun 16 2021

Sanmilie added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

When a card sends 0x6982 in general rule is not really an error is a warning to say, your security environment was not correctly initialized.
This is true with almost applet. (PIV – GIDS – OPenPGP)
The instruction 0x2A to perform security operation return 0x6982 when pin is not authenticated or key is badly selected. This not decrement pin counter.

Jun 16 2021, 6:07 PM · yubikey, Bug Report, scd
gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

Possible way would be: (for newer card/token of OpenPGPcard 3.4 or later) before crypto operations, we can ask card/token if authentication state is consistent to the one of scdaemon and if not reselect AID.

Jun 16 2021, 10:30 AM · yubikey, Bug Report, scd
gniibe added a comment to T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied.

I'd like to support your use case. Could you please tell me about: How can we distinguish normal failure of 6982 and unusual failure of other application interference which results 6982?

Jun 16 2021, 8:50 AM · yubikey, Bug Report, scd

Jun 11 2021

Sanmilie triaged T5484: SCDaemon Not reselect applet and reauthenticate when the card send Security Not Sastisfied as High priority.
Jun 11 2021, 8:02 AM · yubikey, Bug Report, scd

May 28 2021

gniibe merged task T5451: disable-ccid breaks gpg-agent caching on MacOS (gpg 2.3.1) into T5436: gpg-agent 2.3.1: PIN caching not working for decrypt operations.
May 28 2021, 3:23 AM · scd, gnupg (gpg23), MacOS, Bug Report